https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475844#M192600 <P>I just tried to re-run the query and doesn;t look like it is giving the data.. I fi run this query it does give me data</P> <P>("String1" AND "String2") | timechart count span=1h |sort -_time</P> <P>Can you please review your query above once</P> Wed, 15 Apr 2020 16:21:41 GMT ataunk 2020-04-15T16:21:41Z https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475840#M192596 <P>I want to write a query to take the count if two non-consecutive string occurs in a statement. I am trying to do something like this, but this is not able to take logical AND operator in the match method :</P> <P>Note : I want to use the query using eval only as in my larger query I have to perform some mathematical operation using more (different) eval variables.</P> <P>| eval concatsearch=if(match(_raw,"String1 &amp;&amp; String2"),1,0) |<BR /> eval ccount=if(match(_raw,"cc"),1,0) | <BR /> timechart span=1h <BR /> sum(concatsearch) as concatsearch,<BR /> sum(ccount) as ccount</P> Wed, 30 Sep 2020 05:00:40 GMT https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475840#M192596 ataunk 2020-09-30T05:00:40Z https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475841#M192597 <P>There are many ways to do that, but this one should work:</P> <PRE><CODE> | eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0) </CODE></PRE> <P>If either string is not matched, a zero value will result, if both match, a 1 value will result.</P> Tue, 14 Apr 2020 17:13:36 GMT https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475841#M192597 DalJeanis 2020-04-14T17:13:36Z https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475842#M192598 <P>Thanks so much. It works. Love Splunk comunity.</P> Tue, 14 Apr 2020 17:17:42 GMT https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475842#M192598 ataunk 2020-04-14T17:17:42Z https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475843#M192599 <P>Yeah, me too. Okay, if that solved your problem, then please "accept" the answer, so it will show as solved.</P> Wed, 15 Apr 2020 15:25:30 GMT https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475843#M192599 DalJeanis 2020-04-15T15:25:30Z https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475844#M192600 <P>I just tried to re-run the query and doesn;t look like it is giving the data.. I fi run this query it does give me data</P> <P>("String1" AND "String2") | timechart count span=1h |sort -_time</P> <P>Can you please review your query above once</P> Wed, 15 Apr 2020 16:21:41 GMT https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475844#M192600 ataunk 2020-04-15T16:21:41Z https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475845#M192601 <P>Also, the entire query I am running is :</P> <P>| eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)<BR /> | timechart sum(concatsearch) span=1h</P> <P>And I get 0 results, but those string are actually there. Am I doing something worng while using the sum and timechat ?</P> Wed, 30 Sep 2020 04:57:29 GMT https://community.splunk.com/t5/Splunk-Search/count-if-two-nonconsecutive-string-occurs-in-a-statement/m-p/475845#M192601 ataunk 2020-09-30T04:57:29Z